Transparent Proxy Exercise


Exercise: Tunnelling and TCPMon

Set up tunneling. Depending on the operating system of "myhomepc", use either PuTTY or ssh to set up a tunnel from "myhomepc" to the VMWare instance "myserver". In PuTTY, open "Session" in the left navigation bar, type in the IP address of your VMWare instance, and leave the default port number (22). Then open Connection->SSH->Tunnels and pick source port "8808" and destination www.google.com:80.

Figure: How to configure tunneling for PuTTY

If your desktop computer runs Linux, set up the tunneling as described in the SSH Tunneling Guide.

On VMWare "myserver" run the tcpdump program:

tcpdump -n -i eth1 port 80

Open a browser session and type in the address http://localhost:8808. tcpdump should print the IP packets arriving at interface eth1, port 80, that correspond to this request. The browser should display the Google search page.
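For a Linux "myhomepc", the same tunnel can be expressed with OpenSSH. The script below is an added example, not part of the original exercise; the login name "student" and the helper function names are assumptions. It binds the forwarded port to loopback only, so other hosts on the LAN cannot use the tunnel.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the PuTTY tunnel in this exercise.
# Assumptions (not from the page): login "student" and all function names.

LPORT=8808               # source port from the exercise
DEST=www.google.com:80   # destination from the exercise

# Succeed only if the argument is a TCP port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command for a local forward bound to 127.0.0.1.
# $1 = local port, $2 = host:port as seen from the server, $3 = user@server
tunnel_cmd() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    valid_port "${2##*:}" || { echo "bad destination: $2" >&2; return 1; }
    # -N: no remote shell; ExitOnForwardFailure: abort if the port is in use
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s %s\n' \
        "$1" "$2" "$3"
}

# Print the capture command to run on the server.
# $1 = interface, $2 = port
capture_cmd() {
    valid_port "$2" || { echo "bad capture port: $2" >&2; return 1; }
    printf 'tcpdump -n -i %s port %s\n' "$1" "$2"
}

# Request the page through the tunnel and print only the HTTP status code.
check_tunnel() {
    curl -s -o /dev/null -w '%{http_code}\n' --max-time 10 \
        "http://localhost:$1/"
}

case "${1:-}" in
    show)  tunnel_cmd "$LPORT" "$DEST" "student@myserver"   # run on myhomepc
           capture_cmd eth1 "${DEST##*:}" ;;                # run on myserver
    check) check_tunnel "$LPORT" ;;                         # tunnel must be up
esac
```

Run it with `show` to print the two commands for the exercise, and with `check` once the tunnel is up.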

Transparent Proxy (do not do this)

Figure: Typical data flow for a transparent proxy

| Proxy Behavior | Explicit | Transparent |
|---|---|---|
| Ensures anonymity, hides LAN layout to the outside world | Yes | Yes |
| Caches the content ("Web objects" corresponding to URLs) | Yes | Yes |
| Replaces stale content, issues cache validation requests | Yes | Yes |
| Reloads content upon pressing browser's Refresh button | Yes | Yes (1) |
| Filters inappropriate content | Yes | Yes |
| Does not require configuring each Web client | No | Yes |
| Uses Proxy Authorization | Yes | No |
| Uses Ident Protocol (RFC 1413) to check users' identity | Yes | No (2) |
| Can resolve DNS names on behalf of client | Yes (3) | No |
| Prevents IP address spoofing (RFC 2267) | Yes | No |
| Works for HTTP protocol on various (non-80) ports | Yes | Yes (4) |

(1) Some browsers may not set the Cache-Control: no-cache header upon refresh if no proxy is explicitly configured and they wrongly assume that they communicate directly with the server.
(2) The implicit proxy may not be able to open an Ident protocol connection (Ident returns the user's identification), since the browser is not contacting the proxy.
(3) Squid resolves DNS on behalf of its clients by default.
(4) Configuring non-80 ports would require adding more rules to iptables to enable interceptors.